An Efficient Scheme for Detecting Malicious Nodes in Mobile Ad Hoc Networks
December 1, 2006
Jong Oh Choi
Department of Computer Science, Yonsei University
jochoi@emerald.yonsei.ac.kr

Contents
- Motivation / Introduction
- Related works
- Proposed scheme: efficient scheme for detecting malicious nodes in mobile ad hoc networks
- Scenarios
  - Case 1: A malicious node drops packets
  - Case 2: A malicious node modifies packets
  - Case 3: disguise as another node (false report)
  - Case 4: another node temporary false report
  - Case 5: normal node malicious node (false report)
- Apply to AODV-based proposed scheme
- Environments for performance evaluation
- Conclusions

Motivation
- MANET
  - Work has focused on wireless channel access and multi-hop routing, based on the assumption that network elements operate in a friendly and cooperative environment.
- Actual network environment
  - Malicious nodes and uncooperative situations may occur in a MANET.
  - There is a growing need for a security scheme that guarantees secure communication between mobile nodes.
- In this paper
  - We propose a scheme capable of effectively detecting a malicious node that operates normally during route determination over a MANET.

Introduction
- MANET (challenges to security design)
  - Open peer-to-peer network architecture
  - Shared wireless medium
  - Stringent resource constraints
  - Highly dynamic network topology
- Battlefield, emergency, conference: vulnerable and critical to attack
- Attacks must be prevented, detected and reacted to as soon as possible!
- Two approaches to protecting a MANET
  - Proactive: prevention (secure routing)
  - Reactive: detection and reaction (secure packet forwarding)

Introduction
- Two approaches to protecting the MANET
  - Proactive: malicious nodes are detected and excluded from the network so that a route is determined with only friendly and cooperative nodes.
  - Reactive: when an attacker compromises the MANET, the malicious node is detected and excluded from the network.
- This paper: reactive method
- Existing studies
  - Focus on detecting a node that maliciously drops or modifies packets.
  - Do not provide a method of identifying a malicious node that makes a false report about a normal node.
- In this paper
  - We propose a scheme that not only identifies a malicious node that drops or modifies packets, using a report table storing previous report lists, but also detects a malicious node that makes a false report about a normal node, thus degrading network performance.

Related works
- Attacks on routing
  - All actions that prevent routing information from being transmitted according to the routing scheme for the MANET
  - DSR: modify the source route in the RREQ and RREP
    - Deleting a node, appending a node, switching the order
  - AODV: advertise false routing information
    - Smaller distance metric, larger sequence number
- As a result
  - Network traffic is attracted to a certain destination (under the attacker's control)
  - Non-optimal or non-existent routes
  - Routing loops, congestion, partitions in the network

Algorithms for detecting malicious node in MANET
- Proposed algorithm
  - A method of detecting a malicious node that falsely reports a normal node, using a report table listing reporter and suspect.

[Figure: route S - A - B - C - D with neighbouring nodes E, F, G, H; node C drops the data. The report tables of nodes A, B, ... each list reporter B and suspect C.]

Processing in the proposed algorithm
- After node B transmits a packet to node C, it stores a copy of the packet in node B's buffer.
- Node B overhears node C's transmission (to determine whether node C transmits the packet to destination node D).
- If node B does not overhear node C's transmission within the predetermined time, node B increases the failure tally of node C.
- If tally > threshold, this is misbehavior, and the misbehavior is reported to all nodes.
  - The proposed scheme immediately detects and removes the malicious node (in watchdog, by contrast, the report is unicast to node S).
- If a node receiving the report finds the same reporter and suspect in its report table, it ignores the report.
- Otherwise the report is added to the list in the report table.

Operations of proposed scheme (flowchart)
1. Store a copy of the packet in the buffer after transmission.
2. Is the next node's transmission overheard within the predetermined time?
   - Yes: delete the copy in the buffer.
   - No: increase the failure tally.
3. Is the threshold exceeded?
   - No: ignore.
   - Yes: broadcast a report message.
4. On receiving a report message: does the same report list exist in the report table?
   - Yes: drop the message.
   - No: update the report table and re-broadcast the report message.

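The flowchart above as a small state machine, added here as an illustration and not taken from the original slides. THRESHOLD, TIMEOUT, the class and method names are assumptions, and counting a modified packet on the same failure tally as a dropped one is also an assumption.

```python
# Assumed values: the slides give no numbers for the threshold or the wait time.
THRESHOLD = 2    # failures tolerated before a report is broadcast
TIMEOUT = 0.5    # seconds to wait for the next hop's retransmission

class Node:
    def __init__(self, name):
        self.name = name
        self.buffer = {}           # packet id -> (next hop, payload copy, deadline)
        self.tally = {}            # next hop -> failure count
        self.report_table = set()  # (reporter, suspect) pairs already seen
        self.outbox = []           # report messages queued for broadcast

    def sent(self, pkt_id, next_hop, payload, now):
        """Step 1: keep a copy of the packet just handed to next_hop."""
        self.buffer[pkt_id] = (next_hop, payload, now + TIMEOUT)

    def overheard(self, pkt_id, payload):
        """Step 2 (yes branch): next hop forwarded pkt_id; drop the copy."""
        entry = self.buffer.pop(pkt_id, None)
        if entry and entry[1] != payload:   # forwarded, but modified in transit
            self._fail(entry[0])

    def tick(self, now):
        """Step 2 (no branch): expire copies whose forwarding was never heard."""
        for pkt_id, (hop, _, deadline) in list(self.buffer.items()):
            if now > deadline:
                del self.buffer[pkt_id]
                self._fail(hop)

    def _fail(self, hop):
        """Step 3: raise the tally and report once it exceeds the threshold."""
        self.tally[hop] = self.tally.get(hop, 0) + 1
        if self.tally[hop] > THRESHOLD:
            self.receive_report(self.name, hop)

    def receive_report(self, reporter, suspect):
        """Step 4: True if the pair is new (stored and queued for re-broadcast)."""
        if (reporter, suspect) in self.report_table:
            return False                    # same report list exists: drop
        self.report_table.add((reporter, suspect))
        self.outbox.append((reporter, suspect))
        return True
```
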
Scenarios
Case 1: A malicious node drops packets
- Malicious node C does not transmit the packet to destination D and drops the packet.
- Node B cannot overhear node C's transmission within the predetermined length of time.
- Node B understands that node C does not transmit the packet.
- Thus, node B reports node C as a malicious node.

[Figure: route S - A - B - C - D; node C drops the data.]

Scenarios
Case 2: A malicious node modifies packets
- Malicious node C arbitrarily modifies the header and content of the packet received from node B and transmits the modified packet to node D.
- Node B overhears node C's transmission.
- Node B then compares the transmitted packet with the copy stored in node B's buffer.
  - The copy stored in node B's buffer differs from node C's transmission.
- Node B reports node C as a malicious node.

[Figure: route S - A - B - C - D with neighbouring nodes H, I, J, K; node C modifies the data.]

Measures against Cases 1, 2
- The report is recorded as report list entry 1 in the total report table.
- After node S receives B's report, if S does not receive an ACK from destination D:
  - Node S determines that there is a malicious node in the current route and sets up a new route.
  - Other nodes (L, K) will report node C as a malicious node (entries 2, 3).
- When a malicious node does not forward packets, it is continuously recorded in the suspect list.
- When the number of malicious nodes = 2 and the number of entries listing node C as suspect = 3 (suspect node count > malicious node count), node C is identified as a malicious node and excluded from further network operation.

Report table (node A)
  #   Reporter   Suspect
  1   B          C
  2   L          C
  3   K          C

[Figure: route S - A - B - C - D with nodes L and K; node C drops or modifies the data.]

Scenarios
Case 3: disguise as another node (false report)
- To prevent a false report by a node disguising itself as a normal node using another node's ID, asymmetric encryption with a private key and a public key is used.
- If node B disguises itself as normal node X and submits a false report message R, node B does not know the private key K_X- and must encrypt the false report message R using its own private key K_B- and broadcast the false report message R.
- Each node receiving the false report considers it node X's report and decodes it using the public key K_X+ of node X.
- But report message R was not encrypted using private key K_X-.
  - The false report message R cannot be decrypted correctly (error).

[Figure: node B encrypts R with its private key K_B-, giving K_B-(R). Nodes J, L and K decrypt with node X's public key K_X+: K_X+(K_B-(R)) = ????]

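The check in Case 3, worked through as an added example that is not part of the original slides. It assumes textbook RSA over a SHA-256 digest with constructed demo keys; the key sizes, DIRECTORY and all function names are assumptions made for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(report, n):
    """SHA-256 of the report, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(report).digest(), "big") % n

def sign(report, private):
    """'Encrypt with the private key' in the slide's wording."""
    n, d = private
    return pow(digest(report, n), d, n)

def verify(report, signature, public):
    """'Decrypt with the public key' and compare against the report digest."""
    n, e = public
    return pow(signature, e, n) == digest(report, n)

# Constructed demo keys from Mersenne primes: unpadded and far too small for real use.
PUB_X, PRIV_X = make_key(2**107 - 1, 2**127 - 1)
PUB_B, PRIV_B = make_key(2**61 - 1, 2**89 - 1)
DIRECTORY = {"X": PUB_X, "B": PUB_B}   # node ID -> public key known to every node

def accept_report(claimed_id, report, signature):
    """Receiver side: check the report against the claimed sender's public key."""
    return verify(report, signature, DIRECTORY[claimed_id])

def demo():
    report = b"reporter=X suspect=C"      # constructed report message R
    honest = accept_report("X", report, sign(report, PRIV_X))
    forged = accept_report("X", report, sign(report, PRIV_B))  # B poses as X
    return honest, forged
```
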
Scenarios
Case 4: another node temporary false report
- Malicious node M falsely reports temporary node X, irrespective of forwarding: report list entry 1.
- After malicious node M moves from its current location to another location, M falsely reports temporary nodes (Y, Z): entries 2, 3.
- When the list of reports by node M in the table exceeds the threshold, node M is identified as a false reporter and thus does not participate in network operation.

Report table (node A)
  #   Reporter   Suspect
  1   M          X
  2   M          Y
  3   M          Z

[Figure: route S - A - B - C - D with mobile malicious node M.]

Scenarios
Case 5: normal node malicious node (false report)
- If malicious node B falsely reports the normal node C:
  - Malicious node B drops the ACK from normal node D.
  - Node S sets up a new route without knowing whether node B's report is false.
  - All nodes add node B's report to their lists: entry 1.
- Node B makes false reports in the new route: entries 2, 3 are added to the report list.
- Node B's false reports accumulate in the report list, and no common suspect node exists in the suspect list, so node B's false reporting is detected.

Report table (node A)
  #   Reporter   Suspect
  1   B          C
  2   B          M
  3   B          J

[Figure: route S - A - B - C - D; node B broadcasts the report.]

AODV-based proposed scheme
- A method of applying the proposed scheme to AODV
- In the figure, when node A broadcasts an RREQ message, malicious node B receives and re-broadcasts the RREQ message.
- Normal nodes (E, C, F) receive the RREQ message from malicious node B and recognize from their report tables that node B is a malicious node.
- They do not forward the RREQ message to other nodes in the network, thereby excluding node B from the route.

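The report-table decisions from Cases 1, 2, 4 and 5 and the RREQ filtering described above, as an added example that is not from the original slides. THRESHOLD, the function names and the exact form of the "no common suspect" test are assumptions; the three sample tables are the ones shown in the scenarios.

```python
from collections import defaultdict

# Assumed threshold: the scenario tables flag a node once three entries accumulate.
THRESHOLD = 2

def classify(report_table):
    """Split (reporter, suspect) pairs into malicious suspects and false reporters."""
    by_suspect = defaultdict(set)    # suspect  -> distinct reporters naming it
    by_reporter = defaultdict(set)   # reporter -> distinct suspects it named
    for reporter, suspect in report_table:
        by_suspect[suspect].add(reporter)
        by_reporter[reporter].add(suspect)

    # Cases 1 and 2: several different reporters converge on one suspect.
    malicious = {s for s, reps in by_suspect.items() if len(reps) > THRESHOLD}

    # Cases 4 and 5: one reporter keeps naming different suspects, and none
    # of them is a common suspect that another reporter has also named.
    false_reporters = set()
    for reporter, suspects in by_reporter.items():
        corroborated = any(len(by_suspect[s]) > 1 for s in suspects)
        if len(suspects) > THRESHOLD and not corroborated:
            false_reporters.add(reporter)
    return malicious, false_reporters

def accept_rreq(sender, report_table):
    """AODV step: re-broadcast an RREQ only if its sender is not flagged."""
    malicious, false_reporters = classify(report_table)
    return sender not in (malicious | false_reporters)

# Report tables copied from the scenario slides.
CASE_1_2 = [("B", "C"), ("L", "C"), ("K", "C")]
CASE_4 = [("M", "X"), ("M", "Y"), ("M", "Z")]
CASE_5 = [("B", "C"), ("B", "M"), ("B", "J")]
```
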
Evaluation: average loss rate
- Settings: malicious nodes: 6, pause time: 0, 600 sec; malicious nodes: 3, pause time: 0, 600 sec

[Plots: loss rate (%) vs. time (sec)]

- Performance improvement: the loss rate decreases (10-20%).
- The longer the time, the lower the loss rate in the proposed scheme.
- The proposed scheme identifies malicious nodes over the network and excludes them from newly determined routes, thereby preventing attacks by malicious nodes and reducing the loss rate.
- The average loss rate with 3 malicious nodes is lower than with 6 malicious nodes.

Evaluation: average transmission rate
- Settings: malicious nodes: 6, pause time: 0, 600 sec; malicious nodes: 3, pause time: 0, 600 sec

[Plots: delivery vs. time]

- The transmission rate of the proposed scheme is higher than that of AODV (the loss rate of the proposed scheme is lower than that of AODV).
- More data is transmitted with 3 malicious nodes than with 6 malicious nodes.
- With a pause time of 600 sec:
  - The loss rate is low and data transmission is high.
- When malicious nodes move frequently, they are highly likely to be included in a new route.
  - The network loss rate is high and transmission is low.

Evaluation: transmission gains and overhead in AODV and the proposed scheme
- Overhead: control packets of the proposed scheme - control packets of AODV (bytes)
- Transmission gains: transmission of the proposed scheme - transmission of AODV (bytes)
- The proposed scheme generates more control messages than AODV at the network layer (when a malicious node is identified in the proposed scheme, the report table is broadcast in the network).
- But since a control packet is several bytes and a data packet is several hundred, the proposed scheme obtains more transmission gain with less overhead in overall network transmission rates.

Conclusions
- Summary
  - The scheme detects a malicious node that operates normally during route determination but abnormally during transmission over the network, using a report message and a report table specifying a pair of a reporter node and a suspect node.
  - The more malicious nodes in the network and the greater their mobility, the greater the loss rate and the lower the transmission rate.
  - The proposed scheme performs better than AODV.
- Future work
  - The scheme must be further improved to provide more extensive security during route determination over the MANET.

Thank you